From: Huai-Yuan Liu qq810974084@gmail.com
stable inclusion from stable-v6.6.33 commit 335cc45ef2b81b68be63c698b4f867a530bdf7a5 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I9T5PA CVE: CVE-2024-36014
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit a1f95aede6285dba6dd036d907196f35ae3a11ea ]
In malidp_mw_connector_reset, new memory is allocated with kzalloc, but no check is performed. In order to prevent null pointer dereferencing, ensure that mw_state is checked before calling __drm_atomic_helper_connector_reset.
Fixes: 8cbc5caf36ef ("drm: mali-dp: Add writeback connector") Signed-off-by: Huai-Yuan Liu qq810974084@gmail.com Signed-off-by: Liviu Dudau liviu.dudau@arm.com Link: https://patchwork.freedesktop.org/patch/msgid/20240407063053.5481-1-qq810974... Signed-off-by: Sasha Levin sashal@kernel.org Signed-off-by: Chen Zhongjin chenzhongjin@huawei.com --- drivers/gpu/drm/arm/malidp_mw.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/arm/malidp_mw.c b/drivers/gpu/drm/arm/malidp_mw.c index 626709bec6f5..2577f0cef8fc 100644 --- a/drivers/gpu/drm/arm/malidp_mw.c +++ b/drivers/gpu/drm/arm/malidp_mw.c @@ -72,7 +72,10 @@ static void malidp_mw_connector_reset(struct drm_connector *connector) __drm_atomic_helper_connector_destroy_state(connector->state);
kfree(connector->state); - __drm_atomic_helper_connector_reset(connector, &mw_state->base); + connector->state = NULL; + + if (mw_state) + __drm_atomic_helper_connector_reset(connector, &mw_state->base); }
static enum drm_connector_status